Data Subject Rights Under the NDPA: A Practical Guide for Nigerian Businesses
Under the NDPA 2023, Nigerian residents have specific rights over their personal data. When someone exercises those rights — asks to see their data, correct it, or delete it — your business has a legal obligation to respond.
Most Nigerian businesses have no process for this. No designated inbox. No response template. No person responsible. That's a compliance gap that gets exposed the moment someone sends a request — or the moment NDPC asks whether you have a process.
Here's how to set it up properly.
The rights
Right of access
The data subject can ask: "What personal data do you hold about me?"
You must provide:
- Confirmation that you process their data
- A copy of the personal data you hold
- Information about processing purposes, categories of data, recipients, retention periods, and their other rights
Common in practice: Customer asks "What information do you have on me?" via WhatsApp or email.
Right to rectification
The data subject can ask: "My data is wrong — correct it."
You must:
- Correct inaccurate data without undue delay
- Complete incomplete data if the subject provides the missing information
Common in practice: Customer says their address, phone number, or name spelling is wrong in your system.
Right to deletion (erasure)
The data subject can ask: "Delete my data."
You must delete their data if:
- The data is no longer necessary for the purpose it was collected
- They withdraw consent (and consent was the lawful basis)
- They object to processing and there's no overriding legitimate ground
- The data was processed unlawfully
You can refuse if:
- You need the data for a legal obligation (e.g., tax records, AML requirements)
- You need it for legal claims
- There's an overriding public interest
Common in practice: Former customer asks you to delete their account and all associated data.
Right to restriction of processing
The data subject can ask: "Stop processing my data while we resolve this issue."
Applies when:
- They contest the accuracy of the data (restrict while you verify)
- Processing is unlawful but they don't want deletion
- You no longer need the data but they need it for legal claims
Common in practice: Rare, but happens when there's a dispute about data accuracy.
Right to object
The data subject can object to processing based on legitimate interest or public interest.
You must stop processing unless you can demonstrate compelling legitimate grounds that override the subject's interests.
For direct marketing: The right to object is absolute. If someone says "stop marketing to me," you stop. No balancing test.
Common in practice: Customer says "Stop sending me marketing messages" or "Remove me from your mailing list."
Rights related to automated decision-making
If you make decisions about individuals using automated processing (including AI profiling), the subject has the right to:
- Know that automated decision-making is taking place
- Understand the logic involved
- Request human review of an automated decision
Common in practice: A fintech customer whose loan was declined by an AI credit scoring system asks why and requests human review.
Setting up your process
1. Create a request channel
Designate how data subjects can submit requests:
- A dedicated email address (e.g., privacy@yourdomain.com)
- A form on your website
- Through your customer support channels (WhatsApp, phone)
Your privacy notice must tell people how to exercise their rights. If it doesn't include the request channel, update it.
2. Assign responsibility
Someone in your organisation needs to own this process. If you have a DPO, it's them. If not, designate a privacy contact who:
- Receives and logs all requests
- Verifies the identity of the requester
- Coordinates the response across teams
- Ensures deadlines are met
3. Verify identity
Before responding, verify the requester is who they claim to be. You don't want to hand over someone's personal data to an impersonator.
Reasonable verification:
- Request from the email address associated with their account
- Security questions based on account information
- Photo ID for sensitive requests (deletion of financial data, for instance)
Don't make verification so burdensome that it discourages legitimate requests. Match the verification level to the sensitivity of the data.
4. Response timeline
The NDPA gives you 30 days to respond to a data subject request. This can be extended by a further 60 days for complex requests, but you must inform the requester of the extension within the initial 30-day period.
Calendar it. Track every request with date received and deadline.
5. Search and compile
When you receive a request, you need to find all personal data you hold about that person across all systems:
- Customer database / CRM
- Email correspondence
- WhatsApp conversation logs
- Payment records
- Analytics data
- Support tickets
- Any third-party systems that hold their data
This is where most businesses struggle. Data is scattered across multiple platforms with no central index. The first time you handle a request will be painful — use it as motivation to map your data properly.
6. Respond
Provide the requested information in a clear, accessible format. Don't send a database dump. Organise the response so the data subject can understand what you hold and why.
For access requests, include:
- Categories of data you hold
- Why you process it (purposes and lawful basis)
- Who you share it with
- How long you keep it
- Their rights to rectify, delete, or object
- The actual data, in a readable format
7. Log everything
Record every request:
- Date received
- Type of request (access, deletion, etc.)
- Identity verification method
- Date responded
- Outcome
- Any data provided or actions taken
Your DPCO (Data Protection Compliance Organisation) may ask about data subject requests during your annual compliance audit. Your CAR (Compliance Audit Return) filing should reflect that you have a functioning process.
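As an added example (not code from the original article): a minimal request register in Python that applies the timeline from step 4 and records the fields listed in step 7. It rejects an extension notified after the initial 30-day period and flags open requests past their deadline. Field names and request-type labels are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

INITIAL_DAYS = 30    # response period stated in the article
EXTENSION_DAYS = 60  # further period allowed for complex requests
REQUEST_TYPES = {"access", "rectification", "deletion",
                 "restriction", "objection", "automated_review"}


@dataclass
class Request:
    # One logged request: the fields the article's step 7 says to record.
    ref: str
    request_type: str
    received: date
    verification: str  # how identity was checked, e.g. "account email"
    extended_on: Optional[date] = None
    responded: Optional[date] = None
    outcome: str = ""
    actions: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.request_type not in REQUEST_TYPES:
            raise ValueError(f"unknown request type: {self.request_type}")
        if not self.verification:
            raise ValueError("record the identity verification method")

    @property
    def deadline(self) -> date:
        extra = EXTENSION_DAYS if self.extended_on else 0
        return self.received + timedelta(days=INITIAL_DAYS + extra)

    def extend(self, on: date, reason: str) -> None:
        # Only valid if the requester is told within the initial 30 days.
        if self.extended_on is not None:
            raise ValueError("already extended")
        if on > self.received + timedelta(days=INITIAL_DAYS):
            raise ValueError("extension must be notified within the initial period")
        self.extended_on = on
        self.actions.append(f"{on}: extension notified ({reason})")

    def is_overdue(self, today: date) -> bool:
        return self.responded is None and today > self.deadline


def overdue_refs(register: List[Request], today: date) -> List[str]:
    # References of open requests past their deadline, for a periodic check.
    return [r.ref for r in register if r.is_overdue(today)]
```

Record the response date and outcome on the Request object once you reply; the overdue check ignores closed requests.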
Special considerations for AI systems
If your business uses AI, data subject rights get more complex:
AI training data. If personal data was used to train a model, can it be deleted from the model? In most cases, no — data embedded in model weights can't be extracted. Document this limitation. Ensure future training runs exclude the subject's data.
AI-assisted decisions. If AI was involved in a decision about the person (credit scoring, fraud flagging, insurance pricing), they have the right to understand the logic and request human review. Your AI system needs to produce explainable outputs, not just a score.
Conversation data. If your AI chatbot stores conversation logs, those are personal data. Access requests require you to retrieve them. Deletion requests require you to purge them from your systems AND confirm the AI provider has deleted their copy.
Profiling. If you use AI to profile customers (segment, score, categorise), data subjects can object. If they do, you must stop the profiling unless you have compelling legitimate grounds.
When you can refuse
You can refuse a data subject request if:
- You can't verify their identity
- The request is manifestly unfounded or excessive (repeated identical requests)
- Compliance would require disproportionate effort (but document why)
- A legal exemption applies (legal obligation to retain, legal claims, etc.)
If you refuse, you must tell the subject why and inform them of their right to complain to NDPC.
Need help setting up your data subject rights process? We design the workflows, create the templates, and train your team. Part of our NDPA compliance programmes. Talk to us.